[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)

8 v/ R/ E# p8 Y+ b$ HKeyboard Interrupt Hook using I/O APIC

By: chpie
$ g. X! e' p" }0 _0 @, NKeyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.


Summary :: Using the 8259a compatible PIC to be deliver the interrupt
& y5 k: B2 p' T3 w! ^6 ssignal by Delivery mode of the I/O APIC to be the ExtINT,
& E5 J: R$ Z# V. qthe interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.
( u4 L& V1 S, k& y; i
  C' e- M' H: N" A& r; W4 Q0 N- It is higher priority of the hooking than the direct
2 P* Y  Q: \) r8 i2 k3 j/ Gmodification of the I/O APIC's vector.
9 G+ @% _  ~  o- The vector can be hidden on the thread getting the keyboard
7 \1 `) R/ I' z/ lvector from the I/O APIC.
! G. }& e( [7 k
Flow ::

/ N" G' `* x! G( t0 j1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
1 L( H( e- K2 k( h* R4 [5 e! _  \6. The processor Assert the INTA signal.
0 M, F7 ]+ y2 k4 e/ H% [' R' P' n7. The I/O APIC acknowledged.
8. The processor Assert the second INTA signal.
: F4 N0 {8 r  z& M2 l3 W9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.


* \) W# u  a4 lsourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip